OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chromeos/network/certificate_helper.h" |
| 6 |
| 7 #include "crypto/scoped_test_nss_db.h" |
| 8 #include "net/cert/nss_cert_database.h" |
| 9 #include "net/test/cert_test_util.h" |
| 10 #include "net/test/test_data_directory.h" |
| 11 #include "testing/gtest/include/gtest/gtest.h" |
| 12 |
| 13 namespace chromeos { |
| 14 |
| 15 TEST(CertificateHelperTest, GetCertNameOrNickname) { |
| 16 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile( |
| 17 net::GetTestCertsDirectory(), "root_ca_cert.pem")); |
| 18 ASSERT_TRUE(cert.get()); |
| 19 EXPECT_EQ("Test Root CA", |
| 20 certificate::GetCertNameOrNickname(cert->os_cert_handle())); |
| 21 |
| 22 scoped_refptr<net::X509Certificate> punycode_cert(net::ImportCertFromFile( |
| 23 net::GetTestCertsDirectory(), "punycodetest.pem")); |
| 24 ASSERT_TRUE(punycode_cert.get()); |
| 25 EXPECT_EQ("xn--wgv71a119e.com", certificate::GetCertAsciiNameOrNickname( |
| 26 punycode_cert->os_cert_handle())); |
| 27 EXPECT_EQ("日本語.com", certificate::GetCertNameOrNickname( |
| 28 punycode_cert->os_cert_handle())); |
| 29 |
| 30 scoped_refptr<net::X509Certificate> no_cn_cert(net::ImportCertFromFile( |
| 31 net::GetTestCertsDirectory(), "no_subject_common_name_cert.pem")); |
| 32 ASSERT_TRUE(no_cn_cert.get()); |
| 33 // Temp cert has no nickname. |
| 34 EXPECT_EQ("", |
| 35 certificate::GetCertNameOrNickname(no_cn_cert->os_cert_handle())); |
| 36 } |
| 37 |
| 38 TEST(CertificateHelperTest, GetTypeCA) { |
| 39 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile( |
| 40 net::GetTestCertsDirectory(), "root_ca_cert.pem")); |
| 41 ASSERT_TRUE(cert.get()); |
| 42 |
| 43 EXPECT_EQ(net::CA_CERT, certificate::GetCertType(cert->os_cert_handle())); |
| 44 |
| 45 crypto::ScopedTestNSSDB test_nssdb; |
| 46 net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
| 47 test_nssdb.slot())) /* public slot */, |
| 48 crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
| 49 test_nssdb.slot())) /* private slot */); |
| 50 |
| 51 // Test that explicitly distrusted CA certs are still returned as CA_CERT |
| 52 // type. See http://crbug.com/96654. |
| 53 EXPECT_TRUE(db.SetCertTrust(cert.get(), net::CA_CERT, |
| 54 net::NSSCertDatabase::DISTRUSTED_SSL)); |
| 55 |
| 56 EXPECT_EQ(net::CA_CERT, certificate::GetCertType(cert->os_cert_handle())); |
| 57 } |
| 58 |
| 59 TEST(CertificateHelperTest, GetTypeServer) { |
| 60 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile( |
| 61 net::GetTestCertsDirectory(), "google.single.der")); |
| 62 ASSERT_TRUE(cert.get()); |
| 63 |
| 64 // Test mozilla_security_manager::GetCertType with server certs and default |
| 65 // trust. Currently this doesn't work. |
| 66 // TODO(mattm): make mozilla_security_manager::GetCertType smarter so we can |
| 67 // tell server certs even if they have no trust bits set. |
| 68 EXPECT_EQ(net::OTHER_CERT, certificate::GetCertType(cert->os_cert_handle())); |
| 69 |
| 70 crypto::ScopedTestNSSDB test_nssdb; |
| 71 net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
| 72 test_nssdb.slot())) /* public slot */, |
| 73 crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
| 74 test_nssdb.slot())) /* private slot */); |
| 75 |
| 76 // Test GetCertType with server certs and explicit trust. |
| 77 EXPECT_TRUE(db.SetCertTrust(cert.get(), net::SERVER_CERT, |
| 78 net::NSSCertDatabase::TRUSTED_SSL)); |
| 79 |
| 80 EXPECT_EQ(net::SERVER_CERT, certificate::GetCertType(cert->os_cert_handle())); |
| 81 |
| 82 // Test GetCertType with server certs and explicit distrust. |
| 83 EXPECT_TRUE(db.SetCertTrust(cert.get(), net::SERVER_CERT, |
| 84 net::NSSCertDatabase::DISTRUSTED_SSL)); |
| 85 |
| 86 EXPECT_EQ(net::SERVER_CERT, certificate::GetCertType(cert->os_cert_handle())); |
| 87 } |
| 88 |
| 89 } // namespace chromeos |
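Review bot: The distrust cases in GetTypeCA (new lines 53-56) and GetTypeServer (new lines 83-86) never confirm that the trust bits actually changed. In both tests the certificate already had the expected type before the call, so the final `EXPECT_EQ` on `GetCertType` would still pass if `SetCertTrust` returned true without recording the distrust. Reading the trust back before the type check would pin the state under test, e.g. `EXPECT_EQ(net::NSSCertDatabase::DISTRUSTED_SSL, db.GetCertTrust(cert.get(), net::SERVER_CERT));`, with the `net::CA_CERT` equivalent in GetTypeCA. Switching the `SetCertTrust` checks from `EXPECT_TRUE` to `ASSERT_TRUE` would also stop each test at the real failure instead of running the later type assertions against an unchanged database.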